Distributed Guessing Attack to hack VISA cards in just six seconds

A group of security researchers discovered a new method dubbed Distributed Guessing Attack to hack VISA credit card in just 6 seconds.

A group of security researchers from the Newcastle University devised a method to hack VISA credit cards is just six seconds.

The technique relies on a Distributed Guessing Attack in which online payment websites are used to discover the data on VISA credit cards. The attackers submit data to online payment websites and analyze the reply to the transaction to discover whether or not the data was correct.

“Research published in the academic journal IEEE Security & Privacy, shows how the so-called Distributed Guessing Attack is able to circumvent all the security features put in place to protect online payments from fraud.” reads the press release. “

“By automatically and systematically generating different variations of the cards security data and firing it at multiple websites, within seconds hackers are able to get a ‘hit’ and verify all the necessary security data.”

Below a video PoC of Distributed Guessing Attack:

The investigators speculated the method is likely to have been used in the recent cyber attack against the Tesco bank that resulted in the theft of £2.5m.

The researchers demonstrated that is is possible to launch a Distributed Guessing Attack to guess card numbers, expiry dates and security codes of any Visa credit or debit card. The method is simple as effective, the experts discovered that online payment systems don’t detect multiple invalid payment requests from different websites. An attacker can try an unlimited amount of guesses on each card data field splitting the attempts os several websites. The attackers can make between 10 and 20 guesses on each website.

“This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system,” explains Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science and lead author on the paper.

“Firstly, the current online payment system does not detect multiple invalid payment requests from different websites. This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website.

“Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw.”

Ali explained that attackers can gather the card information one field at a time making impossible for merchants to detect the fraudulent activity.

“The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time.”

The attacker can use each generated card field in succession to generate the next field and so on.

“So even starting with no details at all other than the first six digits – which tell you the bank and card type and so are the same for every card from a single provider – a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds.”

The researchers highlighted that only the VISA network was vulnerable to the Distributed Guessing Attack.

The MasterCard network is centralized and is able to detect a Distributed Guessing Attack after less than 10 attempts, even when those payments were distributed across multiple networks.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.